Managing User Permissions
You can change the administrator or monitor passwords and define users in the Administration > Security: User Permissions page.
Accounts
The system uses these accounts based on what actions the user can take:
•  Admin - The system administrator user has full privileges. For example, as an administrator you may set and modify configuration settings, add and delete users, restart the optimization service, reboot the SteelHead, and create and view performance and system reports. The system administrator role allows you to add or remove a system administrator role for any other user, but not for yourself.
•  Monitor - A monitor user may view reports, view user logs, and change their password. A monitor user can’t make configuration changes, modify private keys, view logs, or manage cryptographic modules in the system.
You can also create users, assign passwords to the user, and assign varying configuration roles to the user.
The Administrator role configures a system administrator. Read-only permission isn’t allowed for this role. This role allows permission for all other RBM roles, including creating, editing, and removing user accounts. The system administrator role allows you to add or remove a system administrator role for any other user, but not for yourself.
A user role assigns one of these permission levels for each feature:
•  Read-only - With read-only privileges you can view current configuration settings but you can’t change them.
•  Read/Write - With read and write privileges you can view settings and make configuration changes for a feature.
•  Deny - With deny privileges you can’t view settings or save configuration changes for a feature.
As an example, you might have user Jane who can make configuration changes to QoS and SSL whereas user John can only view these configuration settings; and finally, user Joe can’t view, change, or save the settings for these features.
Available menu items reflect the privileges of the user. For example, any menu items that a user doesn’t have permission to use are unavailable. When a user selects an unavailable link, the User Permissions page appears.
Combining Permissions By Feature
RiOS 9.0 and later require additional user permissions for path selection and QoS. For example, to change a QoS rule, a user needs read/write permission for the Network Settings role in addition to read/write permission for QoS.
This table summarizes the changes to the user permission requirements for RiOS 9.0 and later.
| Management Console Page | To Configure This Feature or Change This Section | Required Read Permission | Required Read/Write Permission |
| --- | --- | --- | --- |
| Networking > Topology: Sites & Networks | Networks | Network Settings Read-Only | Network Settings Read/Write |
| Networking > Topology: Sites & Networks | Sites | Network Settings Read-Only, QoS Read-Only, Path Selection Read-Only | Network Settings Read/Write, QoS Read/Write, Path Selection Read/Write |
| Networking > App Definitions: Applications | Applications | Network Settings Read-Only | Network Settings Read/Write |
| Networking > Network Services: Quality of Service | Enable QoS | Network Settings Read-Only | Network Settings Read/Write |
| Networking > Network Services: Quality of Service | Manage QoS Per Interface | Network Settings Read-Only | Network Settings Read/Write |
| Networking > Network Services: Quality of Service | QoS Profile | QoS Read-Only | QoS Read/Write |
| Networking > Network Services: Quality of Service | QoS Remote Site Info | Network Settings Read-Only, QoS Read-Only | N/A |
| Networking > Network Services: QoS Profile Details | Profile Name | QoS Read-Only | QoS Read/Write |
| Networking > Network Services: QoS Profile Details | QoS Classes | QoS Read-Only | QoS Read/Write |
| Networking > Network Services: QoS Profile Details | QoS Rules | QoS Read-Only | Network Settings Read/Write, QoS Read/Write |
| Path Selection | Enable Path Selection | Network Settings Read-Only | Network Settings Read/Write |
| Path Selection | Path Selection Rules | Network Settings Read-Only, Path Selection Read-Only | Network Settings Read/Write, Path Selection Read/Write |
| Path Selection | Uplink Status | Network Settings Read-Only, Path Selection Read-Only, Reports Read/Write | N/A |
| Outbound QoS Report | | QoS Read-Only | QoS Read/Write |
| Inbound QoS Report | | QoS Read-Only | QoS Read/Write |
| Host Labels | | Network Settings Read-Only or QoS Read-Only | Network Settings Read/Write or QoS Read/Write |
| Port Labels | | Network Settings Read-Only or QoS Read-Only | Network Settings Read/Write or QoS Read/Write |
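As an added illustration (not Riverbed code), this Python sketch transcribes several rows of the table and reports which roles an account still lacks before it can change a section, which is useful when reviewing accounts created before RiOS 9.0. It treats stacked entries in a cell as all required and "or" entries as alternatives, assumes roles not assigned to an account are Deny, and uses constructed accounts.

```python
# Added audit sketch, not Riverbed code. Levels are ordered so that
# Read/Write also satisfies a Read-Only requirement, as the role text states.
RANK = {"Deny": 0, "Read-Only": 1, "Read/Write": 2}
NS, QOS, PS, REP = "Network Settings", "QoS", "Path Selection", "Reports"
RO, RW = "Read-Only", "Read/Write"

# section -> (read requirement, write requirement), transcribed from the table.
# A requirement is a list of alternatives (the "or" rows); every role inside
# one alternative must be held. None marks N/A.
REQUIREMENTS = {
    "Sites": ([{NS: RO, QOS: RO, PS: RO}], [{NS: RW, QOS: RW, PS: RW}]),
    "QoS Profile": ([{QOS: RO}], [{QOS: RW}]),
    "QoS Rules": ([{QOS: RO}], [{NS: RW, QOS: RW}]),
    "Path Selection Rules": ([{NS: RO, PS: RO}], [{NS: RW, PS: RW}]),
    "Uplink Status": ([{NS: RO, PS: RO, REP: RW}], None),
    "Host Labels": ([{NS: RO}, {QOS: RO}], [{NS: RW}, {QOS: RW}]),
}

def shortfall(roles, section, write=False):
    """Return {} if access is granted, None if the action is N/A, otherwise
    the smallest set of {role: level} still needed. Roles absent from
    `roles` are treated as Deny (an assumption of this example)."""
    requirement = REQUIREMENTS[section][1 if write else 0]
    if requirement is None:
        return None
    gaps = []
    for alternative in requirement:
        gaps.append({role: level for role, level in alternative.items()
                     if RANK[roles.get(role, "Deny")] < RANK[level]})
    return min(gaps, key=len)

def write_gaps(roles):
    """Sections the account cannot change, with the roles it is missing."""
    report = {}
    for section in REQUIREMENTS:
        gap = shortfall(roles, section, write=True)
        if gap:  # skips both {} (granted) and None (N/A)
            report[section] = gap
    return report

# Constructed accounts: jane holds only the feature role, john holds both.
jane = {QOS: RW}
john = {QOS: RW, NS: RW}

if __name__ == "__main__":
    for name, roles in (("jane", jane), ("john", john)):
        print(name, write_gaps(roles))
```
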
To configure user permissions
1. Choose Administration > Security: User Permissions to display the User Permissions page.
Figure: User Permissions Page
2. Under Accounts, complete the configuration as described in this table.
Control: admin/monitor
Description: Click the right arrow to change the password or to create a default user account.
•  Change Password - Enables password protection. Password protection is an account control feature that allows you to select a password policy for more security. When you enable account control on the Administration > Security: Password Policy page, a user must use a password. When a user has a null password to start with, the administrator can still set the user password with account control enabled. However, once the user or administrator changes the password, it can’t be reset to null as long as account control is enabled.
•  Password - Specify a password in the text box.
•  Password Confirm - Retype the new administrator password.
•  Enable Account - Select to enable or clear to disable the administrator or monitor account. When enabled, you may make the account the default user for RADIUS and TACACS+ authorization. You may only designate one account as the default user. Once enabled, the default user account may not be disabled or removed. The Accounts table displays the account as permanent.
3. Under Accounts, complete the configuration as described in this table.
| Control | Description |
| --- | --- |
| Add a New Account | Click to display the controls for creating a new account. |
| Account Name | Specify a name for the account. |
| Password | Specify a password in the text box, and then retype the password for confirmation. |
| Enable Account | Select the check box to enable the new account. |
| Administrator | Configures a system administrator role. This role allows permission for all other RBM roles, including creating, editing, and removing user accounts. The system administrator role allows you to add or remove a system administrator role for any other user, but not for yourself. Read-only permission is not allowed for this role. |
| User | Configures a role that determines whether the user: has permission to view current configuration settings but not change them (Read-Only); has permission to view settings and make configuration changes for a feature (Read/Write); or is prevented from viewing or saving settings or configuration changes for a feature (Deny). |
| General Settings | Configures per-source IP connection limit and the maximum connection pooling size. |
| Network Settings | Configures these features: topology definitions, site and network definitions, application definitions, host interface settings, network interface settings, DNS cache settings, hardware assist rules, host labels, and port labels. You must include this role for users configuring path selection or enforcing QoS policies in addition to the QoS and Path Selection roles. |
| QoS | Enforces QoS policies. You must also include the Network Settings role. |
| Path Selection | Configures path selection. You must also include the Network Settings role. |
| Optimization Service | Configures alarms, performance features, SkipWare, HS-TCP, and TCP optimization. |
| In-Path Rules | Configures TCP traffic for optimization and how to optimize traffic by setting in-path rules. This role includes WAN visibility to preserve TCP/IP address or port information. For details about WAN visibility, see the SteelHead Deployment Guide. |
| CIFS Optimization | Configures CIFS optimization settings (including SMB signing) and Overlapping Open optimization. |
| HTTP Optimization | Configures enhanced HTTP optimization settings: URL learning, Parse and Prefetch, Object Prefetch Table, keepalive, insert cookie, file extensions to prefetch, and the ability to set up HTTP optimization for a specific server subnet. |
| Oracle Forms Optimization | Optimizes Oracle E-business application content and forms applications. |
| MAPI Optimization | Optimizes MAPI and sets Exchange and NSPI ports. |
| NFS Optimization | Configures NFS optimization. |
| Notes Optimization | Configures Lotus Notes optimization. |
| Citrix Optimization | Configures Citrix optimization. |
| SSL Optimization | Configures SSL support and the secure inner channel. |
| Replication Optimization | Configures the SRDF/A, FCIP, and SnapMirror storage optimization modules. |
| Storage Service | Configures branch storage services on SteelFusion Edge appliances (the branch storage services are only available on a SteelHead EX or SteelFusion Edge). |
| Security Settings | Configures security settings, including RADIUS and TACACS authentication settings and the secure vault password. |
| Basic Diagnostics | Customizes system diagnostic logs, including system and user log settings, but doesn’t include TCP dumps. |
| TCP Dumps | Customizes TCP dump settings. |
| Reports | Sets system report parameters. |
| Domain Authentication | Allows joining a Windows domain and configuring Windows domain authentication. |
| Citrix Acceleration | Configures Citrix optimization. |
| Add | Adds your settings to the system. |
| Remove Selected Accounts | Select the check box next to the name and click Remove Selected. |
4. Click Save to Disk to save your settings permanently.
Note: RiOS ignores the RBM user roles for SteelHead SaaS features. RiOS allows RBM users with DENY permissions in all roles access to SteelHead SaaS Management Console pages and GUI commands.